Metaphysiker Metaphysiker - 1 year ago 67
Ruby Question

How to sanitize user input for the gem acts-as-taggable-on, Ruby on Rails

At the moment, my code looks like this:

@events = Event.tagged_with(params[:search_input])

But such a query allows SQL-Injections and should be avoided. tells us, how to avoid such attacks (

For example, using questionmarks:

Model.where("login = ? AND password = ?", entered_user_name, entered_password).first

However, I don't know, how to sanitize the user input for this gem. I tried the following:

@events = Event.tagged_with("?", "%#{params[:search_input]}%")

But this leads to the following error:

TypeError (no implicit conversion of Symbol into String):

Any ideas, how to sanitize this input? Thanks in advance!

Answer Source

In this case, the acts_as_taggable_on gem is handling the sanitization for you. All you need to do is pass your params value to the gem. Try this:

@events = Event.tagged_with(params[:search_input])

Typically, you would use the approach that you were attempting when you interact directly with ActiveRecord. In this case, acts_as_taggable_on is doing all of that for you, internally, using the query parameter mechanism. The interface to the gem doesn't allow you to also use parameterization, which is what caused the error.